Why the Basement Hacker Stereotype is Wrong and Dangerous

September 2, 2022 By Nick

“It could be Russia, but it could also be China. It could be many people. It could be someone who sleeps on a bed that weighs 400lbs.” These comments, made during a 2016 presidential debate, may be the most infamous and cringeworthy manifestation of what I call the Basement Hacker stereotype. The Basement Hacker idea is still popular even after all these years. This media stereotype portrays threat actors as isolated, dysfunctional, and dressed exclusively in black sweatshirts and hooded sweatshirts.
The Basement Hacker is fundamentally a misunderstanding of the cyber adversary. Sun Tzu said in The Art of War that “If you don’t know your enemy but you do know yourself, you will lose every victory.” The Basement Hacker myth gives organizations of all sizes a false sense that they are superior to threat actors, whom they perceive as untrained, benign, or weird. If left unchecked, this sense of superiority can lead to complacency among risk managers and the executives responsible for security budgets. That complacency can in turn lead to underinvestment in security teams or overreliance on automation.
The stereotype of the Basement Hacker is also damaging in subtler ways. The value of certifications and educational programs is a constant debate among the vibrant and ever-expanding community of aspiring cybersecurity professionals, as well as the industry players who market education services and thought leadership to them. Cyber educators, industry veterans, and emerging professionals debate whether certifications are worthwhile, which ones to choose, and how to get the most cost-effective skills.
A brand manager at a cyber training company asked rhetorically in a recent social media post: “Why do you need a certificate/degree to work as a cybersecurity professional? People who exploit your networks and applications aren’t certified and don’t have degrees; they don’t need them.” This post and others like it receive strong engagement in the form of hundreds of reactions, dozens of comments, and shares.
This message, which is firmly based upon the Basement Hacker stereotype of an untrained and disorganized adversary, contains several elements of effective misinformation. To build credibility, it boldly challenges the accepted wisdom that cybersecurity jobs require a degree or certification. It makes broad generalizations to claim that successful attackers lack formal education and credentials. This could be a tempting message for those who are interested in becoming cybersecurity professionals without breaking the bank.
It also exploits human insecurity. It would make a student wonder, “Why am I spending all this money on tuition and formal training when the truly elite hackers don’t have either?” The result? The myth is perpetuated, and emerging professionals are left uninformed or under-informed about the true nature of the threat.
Organizations like the Mandiant Intelligence Center and FireEye, as well as academic cybercrime researchers, have documented the formal training programmes, organizational hierarchies and specific skill categories that the most dangerous adversaries in the world require. Mandiant/FireEye, for example, found in its 2016 report that Unit 61398 recruits new talent from universities like Harbin Institute of Technology and Zhejiang School of Computer Science and Technology.
Most of the ‘profession codes,’ which describe positions Unit 61398 is looking to fill, require high-tech computer skills. This group appears to be in constant need of strong English profi